A closed-source SSH access platform you run on your own infrastructure. Distributed as a signed binary. Source-available under our enterprise license for audit and scanning.
Teams still rely on static SSH keys scattered across hundreds of servers. Keys never expire, nobody tracks who has access to what, and when someone leaves the organization, their keys linger on servers for months. There is no audit trail, no session recording, and no way to enforce least-privilege access.
Every SSH connection is a trust decision, but most organizations make those decisions once when they add a public key and never revisit them. The result is an unmanaged attack surface that grows with every new server and every new team member.
Mezite replaces static SSH keys with short-lived certificates issued on demand. Users authenticate once through SSO or local credentials and receive a time-limited certificate scoped to the resources they are authorized to reach. When the certificate expires, access stops. No keys to rotate, no authorized_keys files to manage.
Every SSH session is proxied through Mezite, which authenticates the user, checks their role, and records the session. Agents connect outbound through reverse tunnels, so target nodes never need to expose ports to the internet.
Mezite is exclusively focused on SSH access. The project was originally broader — database proxy, Kubernetes access, application proxy — but was intentionally re-focused to do one thing extremely well rather than many things adequately.
Your infrastructure, your data, your audit logs. No SaaS dependency, no phone-home telemetry, no vendor lock-in. Mezite runs on your hardware, in your network, under your control.
Mezite ships as a single signed binary. Deploy one binary and a PostgreSQL database. No JVM, no container orchestrator, no microservices graph. Upgrades mean replacing the binary.
Certificate-based auth, deny-overrides-allow RBAC, session recording, and audit logging are not add-ons. They are the foundation. Zero static credentials by design.
The server (mezhub) combines the Auth Service (gRPC on port 3025) and the Proxy Service (HTTPS on 3080, SSH on 3023, reverse tunnels on 3024) into a single signed binary. All state lives in PostgreSQL or SQLite: your data, on your infrastructure.
The node agent (mezd) runs on each target server and connects back to the proxy via a reverse tunnel. No inbound firewall rules required. The client CLI (msh) handles login, certificate management, and SSH connections.
Mezite is proprietary software. We distribute signed binaries and container images — we do not publish the source publicly. This is a deliberate choice: it keeps build provenance and keys under our control, and reduces the surface for opportunistic source scanning.
Enterprise customers receive a source-available license granting rights to read, audit, scan, and pentest the code under NDA — for security teams, regulators, and compliance reviewers who need source-level assurance. Redistribution is not permitted.
Copyright 2026 Mezite, Inc. All rights reserved. Mezite is proprietary software. The binaries and container images are licensed under the Mezite Commercial License. Reverse engineering, decompilation, and redistribution are not permitted. Enterprise customers may receive a separate Source-Available License granting rights to read, audit, scan, and pentest the source code under NDA. See /docs/source-access for terms.
Try the managed control plane for free, license the self-hosted binary, or talk to us about Enterprise source access.